1. Using a graphics program, design several security awareness posters on the following themes: updating antivirus signatures, protecting sensitive information, watching out for e-mails viruses, prohibiting the personal use of company equipment, changing and protecting passwords, avoiding social engineering, and protective software copyrights.
Additional ideas: Upcoming security classes, reduce unintended accidents caused by employees.
2. Search on the Web for security education and training programs in your area. Keep a list and see which category has the most examples. See if you can determine the costs associated with each example. Which do you think would be more cost-effective in terms of both time and money?
There are some education and training programs around the area, especially in Duluth. Education programs are focused on the public that wants to learn about information security. Training programs are targeted to companies that want to increase the value of its employees. The second ones, training programs, are more cost-effective than the other wants since are more technical concepts, what makes them at the same time more expensive as well.
3. Search the Web for examples of issue-specific policies. What types of policies can you find? Using the format provided in this chapter, draft a simple issue-specific policy that outlines fair and responsible use of computers at your college, based on the rules and regulations of your institution. Does your school have a similar policy? Does it contain all the elements listed in the text?
The policies that can be found are policies of use.
Statement of Policy
Every authorized user (guest, employee, student) must follow the policy of the UWS network.
Mobile devices and laptop are permitted. Data transmission will be encrypted to protect the information and confidentiality of the user. Some sites might not be accessible.
It is responsibility of the network administrator to maintain its access and security at all times.
Violations of Policy
If any of the policies is violated, the network administrator will have the right to automatically terminate the access of the user to the network.
Policy Review and Modification
This policy will be reviewed by the UWS on an annual basis, or as necessitated by changes in technology, and modified where appropriate.
Limitations of Liability
The UWS has no responsibility of the use that the users do of this network.
Yes, the university has a policy and can be found here: https://www.uwsuper.edu/iits/policies/guidelines.cfm
4. Use your library or the Web to find a reported natural disaster that occurred at least six months ago. From the news accounts, determine whether local or national officials had prepared for the disaster plans and if the plans were used. See if you can determine how the plans helped officials improve disaster response. How do the plans help the recovery?
In August 2016, a powerful 6.2 earthquake rattled Italy. It was completely unexpected and the officials were not prepared to face the situation. It is complicated to prevent nature disaster, but having “general plans” for situations like this one would help to reduce its impact. The plans would definitely help the recovery, mainly because the effects would not be as tragic as they might be without preparation.
5. Classify each of the following occurrences as an incident or disaster. If an occurrence is a disaster, determine whether business continuity plans would be called into play.
a. A hacker breaks into the company network and deletes files from a server.
b. A fire breaks out in the storeroom and sets of the sprinklers on that floor. Some computers are damaged, but the fire is contained.
c. A tornado hits a local power station, and the company will be without power for the next three days.
d. Employees go on strike, and the company could be without critical workers for weeks.
e. A disgruntled employee takes a critical server home, sneaking it out for hours.
For each of the scenarios (a-e), describe the steps necessary to restore operations. Indicate whether law enforcement would be involved.
a. Incident, law enforcement should be involved. The IT department should find a way to restore the files and the information that was deleted.
b. Incident, law enforcement might be involved to determine if the fire was an accident or not. If not, the company would need to make an investment to acquire new equipment to replace the one that was damaged.
c. Disaster, law enforcement should not be involved. The company should develop a plan to operate from a different location.
d. Incident, law enforcement might be involved depending on the actions of the employees. The company should determine how many employees will go on strike, and what can they do to minimize the effect that this will have to their daily operations.
e. Incident, law enforcement should be involved to get back the assets of the company and investigate the actions of the employee. The company should fire the employee, and determine what circumstances let to this situation with the objectives to avoid them in the future.